author | van Hauser <vh@thc.org> | 2020-02-28 00:19:36 +0100 |
---|---|---|
committer | van Hauser <vh@thc.org> | 2020-02-28 00:19:36 +0100 |
commit | 4e37e12c06dda8914dac5175e2f02d3106a3ac9f (patch) | |
tree | e9dd6683b28e106d763b13983cba64f01c693090 | |
parent | d83ab141f62c19203e818536a18eb5f4acb8780a (diff) | |
download | afl++-4e37e12c06dda8914dac5175e2f02d3106a3ac9f.tar.gz |
code-format
-rw-r--r-- | gcc_plugin/afl-gcc-fast.c | 4 | ||||
-rw-r--r-- | include/alloc-inl.h | 199 | ||||
-rw-r--r-- | llvm_mode/afl-clang-fast.c | 9 | ||||
-rw-r--r-- | llvm_mode/afl-llvm-rt.o.c | 3 | ||||
-rw-r--r-- | llvm_mode/cmplog-instructions-pass.cc | 41 | ||||
-rw-r--r-- | qemu_mode/patches/afl-qemu-cpu-inl.h | 3 | ||||
-rw-r--r-- | src/afl-as.c | 10 | ||||
-rw-r--r-- | src/afl-fuzz-init.c | 38 | ||||
-rw-r--r-- | src/afl-fuzz.c | 3 | ||||
-rw-r--r-- | src/afl-showmap.c | 4 |
10 files changed, 160 insertions, 154 deletions
diff --git a/gcc_plugin/afl-gcc-fast.c b/gcc_plugin/afl-gcc-fast.c index 28190f93..b79e2c34 100644 --- a/gcc_plugin/afl-gcc-fast.c +++ b/gcc_plugin/afl-gcc-fast.c @@ -330,7 +330,9 @@ int main(int argc, char** argv, char** envp) { exit(1); - } else if ((isatty(2) && !getenv("AFL_QUIET")) || getenv("AFL_DEBUG") != NULL) { + } else if ((isatty(2) && !getenv("AFL_QUIET")) || + + getenv("AFL_DEBUG") != NULL) { SAYF(cCYA "afl-gcc-fast" VERSION cRST " initially by <aseipp@pobox.com>, maintainer: hexcoder-\n"); diff --git a/include/alloc-inl.h b/include/alloc-inl.h index 5a8bf7c6..a3cc63ca 100644 --- a/include/alloc-inl.h +++ b/include/alloc-inl.h 
@@ -36,70 +36,87 @@ /* User-facing macro to sprintf() to a dynamically allocated buffer. */ -#define alloc_printf(_str...) ({ \ - u8* _tmp; \ - s32 _len = snprintf(NULL, 0, _str); \ +#define alloc_printf(_str...) \ + ({ \ + \ + u8* _tmp; \ + s32 _len = snprintf(NULL, 0, _str); \ if (_len < 0) FATAL("Whoa, snprintf() fails?!"); \ - _tmp = ck_alloc(_len + 1); \ - snprintf((char*)_tmp, _len + 1, _str); \ - _tmp; \ + _tmp = ck_alloc(_len + 1); \ + snprintf((char*)_tmp, _len + 1, _str); \ + _tmp; \ + \ }) /* Macro to enforce allocation limits as a last-resort defense against integer overflows. */ -#define ALLOC_CHECK_SIZE(_s) do { \ - if ((_s) > MAX_ALLOC) \ - ABORT("Bad alloc request: %u bytes", (_s)); \ +#define ALLOC_CHECK_SIZE(_s) \ + do { \ + \ + if ((_s) > MAX_ALLOC) ABORT("Bad alloc request: %u bytes", (_s)); \ + \ } while (0) /* Macro to check malloc() failures and the like. */ -#define ALLOC_CHECK_RESULT(_r, _s) do { \ - if (!(_r)) \ - ABORT("Out of memory: can't allocate %u bytes", (_s)); \ +#define ALLOC_CHECK_RESULT(_r, _s) \ + do { \ + \ + if (!(_r)) ABORT("Out of memory: can't allocate %u bytes", (_s)); \ + \ } while (0) /* Magic tokens used to mark used / freed chunks. */ -#define ALLOC_MAGIC_C1 0xFF00FF00 /* Used head (dword) */ -#define ALLOC_MAGIC_F 0xFE00FE00 /* Freed head (dword) */ -#define ALLOC_MAGIC_C2 0xF0 /* Used tail (byte) */ +#define ALLOC_MAGIC_C1 0xFF00FF00 /* Used head (dword) */ +#define ALLOC_MAGIC_F 0xFE00FE00 /* Freed head (dword) */ +#define ALLOC_MAGIC_C2 0xF0 /* Used tail (byte) */ /* Positions of guard tokens in relation to the user-visible pointer. 
*/ -#define ALLOC_C1(_ptr) (((u32*)(_ptr))[-2]) -#define ALLOC_S(_ptr) (((u32*)(_ptr))[-1]) -#define ALLOC_C2(_ptr) (((u8*)(_ptr))[ALLOC_S(_ptr)]) +#define ALLOC_C1(_ptr) (((u32*)(_ptr))[-2]) +#define ALLOC_S(_ptr) (((u32*)(_ptr))[-1]) +#define ALLOC_C2(_ptr) (((u8*)(_ptr))[ALLOC_S(_ptr)]) -#define ALLOC_OFF_HEAD 8 +#define ALLOC_OFF_HEAD 8 #define ALLOC_OFF_TOTAL (ALLOC_OFF_HEAD + 1) /* Allocator increments for ck_realloc_block(). */ -#define ALLOC_BLK_INC 256 +#define ALLOC_BLK_INC 256 /* Sanity-checking macros for pointers. */ -#define CHECK_PTR(_p) do { \ - if (_p) { \ - if (ALLOC_C1(_p) ^ ALLOC_MAGIC_C1) {\ - if (ALLOC_C1(_p) == ALLOC_MAGIC_F) \ - ABORT("Use after free."); \ - else ABORT("Corrupted head alloc canary."); \ - } \ - if (ALLOC_C2(_p) ^ ALLOC_MAGIC_C2) \ - ABORT("Corrupted tail alloc canary."); \ - } \ +#define CHECK_PTR(_p) \ + do { \ + \ + if (_p) { \ + \ + if (ALLOC_C1(_p) ^ ALLOC_MAGIC_C1) { \ + \ + if (ALLOC_C1(_p) == ALLOC_MAGIC_F) \ + ABORT("Use after free."); \ + else \ + ABORT("Corrupted head alloc canary."); \ + \ + } \ + if (ALLOC_C2(_p) ^ ALLOC_MAGIC_C2) \ + ABORT("Corrupted tail alloc canary."); \ + \ + } \ + \ } while (0) -#define CHECK_PTR_EXPR(_p) ({ \ - typeof (_p) _tmp = (_p); \ - CHECK_PTR(_tmp); \ - _tmp; \ +#define CHECK_PTR_EXPR(_p) \ + ({ \ + \ + typeof(_p) _tmp = (_p); \ + CHECK_PTR(_tmp); \ + _tmp; \ + \ }) - /* Allocate a buffer, explicitly not zeroing it. Returns NULL for zero-sized requests. */ @@ -116,14 +133,13 @@ static inline void* DFL_ck_alloc_nozero(u32 size) { ret += ALLOC_OFF_HEAD; ALLOC_C1(ret) = ALLOC_MAGIC_C1; - ALLOC_S(ret) = size; + ALLOC_S(ret) = size; ALLOC_C2(ret) = ALLOC_MAGIC_C2; return ret; } - /* Allocate a buffer, returning zeroed memory. */ static inline void* DFL_ck_alloc(u32 size) { @@ -137,7 +153,6 @@ static inline void* DFL_ck_alloc(u32 size) { } - /* Free memory, checking for double free and corrupted heap. When DEBUG_BUILD is set, the old memory will be also clobbered with 0xFF. */ 
@@ -152,7 +167,7 @@ static inline void DFL_ck_free(void* mem) { /* Catch pointer issues sooner. */ memset(mem, 0xFF, ALLOC_S(mem)); -#endif /* DEBUG_BUILD */ +#endif /* DEBUG_BUILD */ ALLOC_C1(mem) = ALLOC_MAGIC_F; @@ -160,7 +175,6 @@ static inline void DFL_ck_free(void* mem) { } - /* Re-allocate a buffer, checking for issues and zeroing any newly-added tail. With DEBUG_BUILD, the buffer is always reallocated to a new addresses and the old memory is clobbered with 0xFF. */ @@ -183,10 +197,10 @@ static inline void* DFL_ck_realloc(void* orig, u32 size) { #ifndef DEBUG_BUILD ALLOC_C1(orig) = ALLOC_MAGIC_F; -#endif /* !DEBUG_BUILD */ +#endif /* !DEBUG_BUILD */ - old_size = ALLOC_S(orig); - orig -= ALLOC_OFF_HEAD; + old_size = ALLOC_S(orig); + orig -= ALLOC_OFF_HEAD; ALLOC_CHECK_SIZE(old_size); @@ -218,22 +232,20 @@ static inline void* DFL_ck_realloc(void* orig, u32 size) { } -#endif /* ^!DEBUG_BUILD */ +#endif /* ^!DEBUG_BUILD */ ret += ALLOC_OFF_HEAD; ALLOC_C1(ret) = ALLOC_MAGIC_C1; - ALLOC_S(ret) = size; + ALLOC_S(ret) = size; ALLOC_C2(ret) = ALLOC_MAGIC_C2; - if (size > old_size) - memset(ret + old_size, 0, size - old_size); + if (size > old_size) memset(ret + old_size, 0, size - old_size); return ret; } - /* Re-allocate a buffer with ALLOC_BLK_INC increments (used to speed up repeated small reallocs without complicating the user code). */ @@ -251,13 +263,12 @@ static inline void* DFL_ck_realloc_block(void* orig, u32 size) { } -#endif /* !DEBUG_BUILD */ +#endif /* !DEBUG_BUILD */ return DFL_ck_realloc(orig, size); } - /* Create a buffer with a copy of a string. Returns NULL for NULL inputs. */ static inline u8* DFL_ck_strdup(u8* str) { @@ -276,14 +287,13 @@ static inline u8* DFL_ck_strdup(u8* str) { ret += ALLOC_OFF_HEAD; ALLOC_C1(ret) = ALLOC_MAGIC_C1; - ALLOC_S(ret) = size; + ALLOC_S(ret) = size; ALLOC_C2(ret) = ALLOC_MAGIC_C2; return memcpy(ret, str, size); } - /* Create a buffer with a copy of a memory block. Returns NULL for zero-sized or NULL inputs. */ 
@@ -296,18 +306,17 @@ static inline void* DFL_ck_memdup(void* mem, u32 size) { ALLOC_CHECK_SIZE(size); ret = malloc(size + ALLOC_OFF_TOTAL); ALLOC_CHECK_RESULT(ret, size); - + ret += ALLOC_OFF_HEAD; ALLOC_C1(ret) = ALLOC_MAGIC_C1; - ALLOC_S(ret) = size; + ALLOC_S(ret) = size; ALLOC_C2(ret) = ALLOC_MAGIC_C2; return memcpy(ret, mem, size); } - /* Create a buffer with a block of text, appending a NUL terminator at the end. Returns NULL for zero-sized or NULL inputs. */ @@ -320,11 +329,11 @@ static inline u8* DFL_ck_memdup_str(u8* mem, u32 size) { ALLOC_CHECK_SIZE(size); ret = malloc(size + ALLOC_OFF_TOTAL + 1); ALLOC_CHECK_RESULT(ret, size); - + ret += ALLOC_OFF_HEAD; ALLOC_C1(ret) = ALLOC_MAGIC_C1; - ALLOC_S(ret) = size; + ALLOC_S(ret) = size; ALLOC_C2(ret) = ALLOC_MAGIC_C2; memcpy(ret, mem, size); @@ -334,20 +343,19 @@ static inline u8* DFL_ck_memdup_str(u8* mem, u32 size) { } - #ifndef DEBUG_BUILD /* In non-debug mode, we just do straightforward aliasing of the above functions to user-visible names such as ck_alloc(). */ -#define ck_alloc DFL_ck_alloc -#define ck_alloc_nozero DFL_ck_alloc_nozero -#define ck_realloc DFL_ck_realloc -#define ck_realloc_block DFL_ck_realloc_block -#define ck_strdup DFL_ck_strdup -#define ck_memdup DFL_ck_memdup -#define ck_memdup_str DFL_ck_memdup_str -#define ck_free DFL_ck_free +#define ck_alloc DFL_ck_alloc +#define ck_alloc_nozero DFL_ck_alloc_nozero +#define ck_realloc DFL_ck_realloc +#define ck_realloc_block DFL_ck_realloc_block +#define ck_strdup DFL_ck_strdup +#define ck_memdup DFL_ck_memdup +#define ck_memdup_str DFL_ck_memdup_str +#define ck_free DFL_ck_free #define alloc_report() @@ -358,12 +366,14 @@ static inline u8* DFL_ck_memdup_str(u8* mem, u32 size) { /* Alloc tracking data structures: */ -#define ALLOC_BUCKETS 4096 +#define ALLOC_BUCKETS 4096 struct TRK_obj { - void *ptr; + + void* ptr; char *file, *func; - u32 line; + u32 line; + }; #ifdef AFL_MAIN 
@@ -371,22 +381,21 @@ struct TRK_obj { struct TRK_obj* TRK[ALLOC_BUCKETS]; u32 TRK_cnt[ALLOC_BUCKETS]; -# define alloc_report() TRK_report() +#define alloc_report() TRK_report() #else extern struct TRK_obj* TRK[ALLOC_BUCKETS]; -extern u32 TRK_cnt[ALLOC_BUCKETS]; +extern u32 TRK_cnt[ALLOC_BUCKETS]; -# define alloc_report() +#define alloc_report() -#endif /* ^AFL_MAIN */ +#endif /* ^AFL_MAIN */ /* Bucket-assigning function for a given pointer: */ #define TRKH(_ptr) (((((u32)(_ptr)) >> 16) ^ ((u32)(_ptr))) % ALLOC_BUCKETS) - /* Add a new entry to the list of allocated objects. */ static inline void TRK_alloc_buf(void* ptr, const char* file, const char* func, @@ -404,7 +413,7 @@ static inline void TRK_alloc_buf(void* ptr, const char* file, const char* func, if (!TRK[bucket][i].ptr) { - TRK[bucket][i].ptr = ptr; + TRK[bucket][i].ptr = ptr; TRK[bucket][i].file = (char*)file; TRK[bucket][i].func = (char*)func; TRK[bucket][i].line = line; @@ -414,10 +423,10 @@ static inline void TRK_alloc_buf(void* ptr, const char* file, const char* func, /* No space available - allocate more. */ - TRK[bucket] = DFL_ck_realloc_block(TRK[bucket], - (TRK_cnt[bucket] + 1) * sizeof(struct TRK_obj)); + TRK[bucket] = DFL_ck_realloc_block( + TRK[bucket], (TRK_cnt[bucket] + 1) * sizeof(struct TRK_obj)); - TRK[bucket][i].ptr = ptr; + TRK[bucket][i].ptr = ptr; TRK[bucket][i].file = (char*)file; TRK[bucket][i].func = (char*)func; TRK[bucket][i].line = line; @@ -426,7 +435,6 @@ static inline void TRK_alloc_buf(void* ptr, const char* file, const char* func, } - /* Remove entry from the list of allocated objects. */ static inline void TRK_free_buf(void* ptr, const char* file, const char* func, 
@@ -449,12 +457,11 @@ static inline void TRK_free_buf(void* ptr, const char* file, const char* func, } - WARNF("ALLOC: Attempt to free non-allocated memory in %s (%s:%u)", - func, file, line); + WARNF("ALLOC: Attempt to free non-allocated memory in %s (%s:%u)", func, file, + line); } - /* Do a final report on all non-deallocated objects. */ static inline void TRK_report(void) { @@ -471,7 +478,6 @@ static inline void TRK_report(void) { } - /* Simple wrappers for non-debugging functions: */ static inline void* TRK_ck_alloc(u32 size, const char* file, const char* func, @@ -483,7 +489,6 @@ static inline void* TRK_ck_alloc(u32 size, const char* file, const char* func, } - static inline void* TRK_ck_realloc(void* orig, u32 size, const char* file, const char* func, u32 line) { @@ -494,7 +499,6 @@ static inline void* TRK_ck_realloc(void* orig, u32 size, const char* file, } - static inline void* TRK_ck_realloc_block(void* orig, u32 size, const char* file, const char* func, u32 line) { @@ -505,7 +509,6 @@ static inline void* TRK_ck_realloc_block(void* orig, u32 size, const char* file, } - static inline void* TRK_ck_strdup(u8* str, const char* file, const char* func, u32 line) { @@ -515,7 +518,6 @@ static inline void* TRK_ck_strdup(u8* str, const char* file, const char* func, } - static inline void* TRK_ck_memdup(void* mem, u32 size, const char* file, const char* func, u32 line) { @@ -525,7 +527,6 @@ static inline void* TRK_ck_memdup(void* mem, u32 size, const char* file, } - static inline void* TRK_ck_memdup_str(void* mem, u32 size, const char* file, const char* func, u32 line) { @@ -535,9 +536,8 @@ static inline void* TRK_ck_memdup_str(void* mem, u32 size, const char* file, } - -static inline void TRK_ck_free(void* ptr, const char* file, - const char* func, u32 line) { +static inline void TRK_ck_free(void* ptr, const char* file, const char* func, + u32 line) { TRK_free_buf(ptr, file, func, line); DFL_ck_free(ptr); 
@@ -546,11 +546,9 @@ static inline void TRK_ck_free(void* ptr, const char* file, /* Aliasing user-facing names to tracking functions: */ -#define ck_alloc(_p1) \ - TRK_ck_alloc(_p1, __FILE__, __FUNCTION__, __LINE__) +#define ck_alloc(_p1) TRK_ck_alloc(_p1, __FILE__, __FUNCTION__, __LINE__) -#define ck_alloc_nozero(_p1) \ - TRK_ck_alloc(_p1, __FILE__, __FUNCTION__, __LINE__) +#define ck_alloc_nozero(_p1) TRK_ck_alloc(_p1, __FILE__, __FUNCTION__, __LINE__) #define ck_realloc(_p1, _p2) \ TRK_ck_realloc(_p1, _p2, __FILE__, __FUNCTION__, __LINE__) @@ -558,8 +556,7 @@ static inline void TRK_ck_free(void* ptr, const char* file, #define ck_realloc_block(_p1, _p2) \ TRK_ck_realloc_block(_p1, _p2, __FILE__, __FUNCTION__, __LINE__) -#define ck_strdup(_p1) \ - TRK_ck_strdup(_p1, __FILE__, __FUNCTION__, __LINE__) +#define ck_strdup(_p1) TRK_ck_strdup(_p1, __FILE__, __FUNCTION__, __LINE__) #define ck_memdup(_p1, _p2) \ TRK_ck_memdup(_p1, _p2, __FILE__, __FUNCTION__, __LINE__) @@ -567,9 +564,9 @@ static inline void TRK_ck_free(void* ptr, const char* file, #define ck_memdup_str(_p1, _p2) \ TRK_ck_memdup_str(_p1, _p2, __FILE__, __FUNCTION__, __LINE__) -#define ck_free(_p1) \ - TRK_ck_free(_p1, __FILE__, __FUNCTION__, __LINE__) +#define ck_free(_p1) TRK_ck_free(_p1, __FILE__, __FUNCTION__, __LINE__) + +#endif /* ^!DEBUG_BUILD */ -#endif /* ^!DEBUG_BUILD */ +#endif /* ! _HAVE_ALLOC_INL_H */ -#endif /* ! _HAVE_ALLOC_INL_H */ diff --git a/llvm_mode/afl-clang-fast.c b/llvm_mode/afl-clang-fast.c index fa534438..fe958ac7 100644 --- a/llvm_mode/afl-clang-fast.c +++ b/llvm_mode/afl-clang-fast.c 
@@ -206,20 +206,20 @@ static void edit_params(u32 argc, char** argv) { cc_params[cc_par_cnt++] = "-Xclang"; cc_params[cc_par_cnt++] = alloc_printf("%s/cmplog-routines-pass.so", obj_path); - + // reuse split switches from laf cc_params[cc_par_cnt++] = "-Xclang"; cc_params[cc_par_cnt++] = "-load"; cc_params[cc_par_cnt++] = "-Xclang"; cc_params[cc_par_cnt++] = alloc_printf("%s/split-switches-pass.so", obj_path); - + cc_params[cc_par_cnt++] = "-Xclang"; cc_params[cc_par_cnt++] = "-load"; cc_params[cc_par_cnt++] = "-Xclang"; cc_params[cc_par_cnt++] = alloc_printf("%s/cmplog-instructions-pass.so", obj_path); - + cc_params[cc_par_cnt++] = "-fno-inline"; } @@ -245,8 +245,7 @@ static void edit_params(u32 argc, char** argv) { cc_params[cc_par_cnt++] = "-load"; cc_params[cc_par_cnt++] = "-Xclang"; if (getenv("AFL_LLVM_INSTRIM") != NULL || getenv("INSTRIM_LIB") != NULL) - cc_params[cc_par_cnt++] = - alloc_printf("%s/libLLVMInsTrim.so", obj_path); + cc_params[cc_par_cnt++] = alloc_printf("%s/libLLVMInsTrim.so", obj_path); else cc_params[cc_par_cnt++] = alloc_printf("%s/afl-llvm-pass.so", obj_path); diff --git a/llvm_mode/afl-llvm-rt.o.c b/llvm_mode/afl-llvm-rt.o.c index bd349504..320b3d96 100644 --- a/llvm_mode/afl-llvm-rt.o.c +++ b/llvm_mode/afl-llvm-rt.o.c @@ -260,7 +260,8 @@ static void __afl_start_forkserver(void) { } -/* A simplified persistent mode handler, used as explained in llvm_mode/README.md. */ +/* A simplified persistent mode handler, used as explained in + * llvm_mode/README.md. */ int __afl_persistent_loop(unsigned int max_cnt) { diff --git a/llvm_mode/cmplog-instructions-pass.cc b/llvm_mode/cmplog-instructions-pass.cc index f6ee4a4c..586a8244 100644 --- a/llvm_mode/cmplog-instructions-pass.cc +++ b/llvm_mode/cmplog-instructions-pass.cc 
@@ -105,14 +105,14 @@ char CmpLogInstructions::ID = 0; bool CmpLogInstructions::hookInstrs(Module &M) { std::vector<Instruction *> icomps; - LLVMContext & C = M.getContext(); + LLVMContext & C = M.getContext(); Type * VoidTy = Type::getVoidTy(C); - IntegerType * Int8Ty = IntegerType::getInt8Ty(C); - IntegerType * Int16Ty = IntegerType::getInt16Ty(C); - IntegerType * Int32Ty = IntegerType::getInt32Ty(C); - IntegerType * Int64Ty = IntegerType::getInt64Ty(C); - + IntegerType *Int8Ty = IntegerType::getInt8Ty(C); + IntegerType *Int16Ty = IntegerType::getInt16Ty(C); + IntegerType *Int32Ty = IntegerType::getInt32Ty(C); + IntegerType *Int64Ty = IntegerType::getInt64Ty(C); + #if LLVM_VERSION_MAJOR < 9 Constant * #else @@ -120,8 +120,8 @@ bool CmpLogInstructions::hookInstrs(Module &M) { #endif c1 = M.getOrInsertFunction("__cmplog_ins_hook1", VoidTy, Int8Ty, Int8Ty #if LLVM_VERSION_MAJOR < 5 - , - NULL + , + NULL #endif ); #if LLVM_VERSION_MAJOR < 9 @@ -137,8 +137,8 @@ bool CmpLogInstructions::hookInstrs(Module &M) { #endif c2 = M.getOrInsertFunction("__cmplog_ins_hook2", VoidTy, Int16Ty, Int16Ty #if LLVM_VERSION_MAJOR < 5 - , - NULL + , + NULL #endif ); #if LLVM_VERSION_MAJOR < 9 @@ -154,8 +154,8 @@ bool CmpLogInstructions::hookInstrs(Module &M) { #endif c4 = M.getOrInsertFunction("__cmplog_ins_hook4", VoidTy, Int32Ty, Int32Ty #if LLVM_VERSION_MAJOR < 5 - , - NULL + , + NULL #endif ); #if LLVM_VERSION_MAJOR < 9 @@ -171,8 +171,8 @@ bool CmpLogInstructions::hookInstrs(Module &M) { #endif c8 = M.getOrInsertFunction("__cmplog_ins_hook8", VoidTy, Int64Ty, Int64Ty #if LLVM_VERSION_MAJOR < 5 - , - NULL + , + NULL #endif ); #if LLVM_VERSION_MAJOR < 9 
@@ -339,29 +339,32 @@ bool CmpLogInstructions::hookInstrs(Module &M) { errs() << "Hooking " << icomps.size() << " cmp instructions\n"; for (auto &selectcmpInst : icomps) { - + IRBuilder<> IRB(selectcmpInst->getParent()); IRB.SetInsertPoint(selectcmpInst); auto op0 = selectcmpInst->getOperand(0); auto op1 = selectcmpInst->getOperand(1); - + IntegerType *intTyOp0 = dyn_cast<IntegerType>(op0->getType()); IntegerType *intTyOp1 = dyn_cast<IntegerType>(op1->getType()); - unsigned max_size = intTyOp0->getBitWidth() > intTyOp1->getBitWidth() ? - intTyOp0->getBitWidth() : intTyOp1->getBitWidth(); + unsigned max_size = intTyOp0->getBitWidth() > intTyOp1->getBitWidth() + ? intTyOp0->getBitWidth() + : intTyOp1->getBitWidth(); std::vector<Value *> args; args.push_back(op0); args.push_back(op1); switch (max_size) { + case 8: IRB.CreateCall(cmplogHookIns1, args, "tmp"); break; case 16: IRB.CreateCall(cmplogHookIns2, args, "tmp"); break; case 32: IRB.CreateCall(cmplogHookIns4, args, "tmp"); break; case 64: IRB.CreateCall(cmplogHookIns8, args, "tmp"); break; default: break; + } } @@ -383,7 +386,7 @@ bool CmpLogInstructions::runOnModule(Module &M) { } static void registerCmpLogInstructionsPass(const PassManagerBuilder &, - legacy::PassManagerBase &PM) { + legacy::PassManagerBase &PM) { auto p = new CmpLogInstructions(); PM.add(p); diff --git a/qemu_mode/patches/afl-qemu-cpu-inl.h b/qemu_mode/patches/afl-qemu-cpu-inl.h index f85f8caa..9fdc23ea 100644 --- a/qemu_mode/patches/afl-qemu-cpu-inl.h +++ b/qemu_mode/patches/afl-qemu-cpu-inl.h @@ -407,7 +407,8 @@ void afl_forkserver(CPUState *cpu) { } -/* A simplified persistent mode handler, used as explained in llvm_mode/README.md. */ +/* A simplified persistent mode handler, used as explained in + * llvm_mode/README.md. */ void afl_persistent_loop(void) { diff --git a/src/afl-as.c b/src/afl-as.c index 914848df..a89b8636 100644 --- a/src/afl-as.c +++ b/src/afl-as.c 
@@ -520,8 +520,10 @@ int main(int argc, char** argv) { if (argc < 2 || (argc == 2 && strcmp(argv[1], "-h") == 0)) { - fprintf(stdout, - "afl-as" VERSION " by Michal Zalewski\n" + fprintf( + stdout, + "afl-as" VERSION + " by Michal Zalewski\n" "\n%s [-h]\n\n" "This is a helper application for afl-fuzz. It is a wrapper around GNU " "'as',\n" @@ -546,8 +548,8 @@ int main(int argc, char** argv) { "AFL_KEEP_ASSEMBLY: leave instrumented assembly files\n" "AFL_AS_FORCE_INSTRUMENT: force instrumentation for asm sources\n" "AFL_HARDEN, AFL_USE_ASAN, AFL_USE_MSAN, AFL_USE_UBSAN:\n" - " used in the instrumentation summary message\n" - ,argv[0]); + " used in the instrumentation summary message\n", + argv[0]); exit(1); diff --git a/src/afl-fuzz-init.c b/src/afl-fuzz-init.c index 1858fabd..15dd4d14 100644 --- a/src/afl-fuzz-init.c +++ b/src/afl-fuzz-init.c 
@@ -1972,25 +1972,25 @@ void check_binary(u8* fname) { if (!qemu_mode && !unicorn_mode && !dumb_mode && !memmem(f_data, f_len, SHM_ENV_VAR, strlen(SHM_ENV_VAR) + 1)) { - SAYF( - "\n" cLRD "[-] " cRST - "Looks like the target binary is not instrumented! The fuzzer depends " - "on\n" - " compile-time instrumentation to isolate interesting test cases " - "while\n" - " mutating the input data. For more information, and for tips on " - "how to\n" - " instrument binaries, please see %s/README.md.\n\n" - - " When source code is not available, you may be able to leverage " - "QEMU\n" - " mode support. Consult the README.md for tips on how to enable this.\n" - - " (It is also possible to use afl-fuzz as a traditional, \"dumb\" " - "fuzzer.\n" - " For that, you can use the -n option - but expect much worse " - "results.)\n", - doc_path); + SAYF("\n" cLRD "[-] " cRST + "Looks like the target binary is not instrumented! The fuzzer depends " + "on\n" + " compile-time instrumentation to isolate interesting test cases " + "while\n" + " mutating the input data. For more information, and for tips on " + "how to\n" + " instrument binaries, please see %s/README.md.\n\n" + + " When source code is not available, you may be able to leverage " + "QEMU\n" + " mode support. Consult the README.md for tips on how to enable " + "this.\n" + + " (It is also possible to use afl-fuzz as a traditional, \"dumb\" " + "fuzzer.\n" + " For that, you can use the -n option - but expect much worse " + "results.)\n", + doc_path); FATAL("No instrumentation detected"); diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index f68f063d..e81c7d9f 100644 --- a/src/afl-fuzz.c +++ b/src/afl-fuzz.c 
@@ -112,7 +112,8 @@ static void usage(u8* argv0) { "entering the\n" " pacemaker mode (minutes of no new paths, 0 = " "immediately).\n" - " a recommended value is 10-60. see docs/README.MOpt.md\n" + " a recommended value is 10-60. see " + "docs/README.MOpt.md\n" " -c program - enable CmpLog by specifying a binary compiled for " "it.\n" " if using QEMU, just use -c 0.\n\n" diff --git a/src/afl-showmap.c b/src/afl-showmap.c index c8c35525..3ea10d38 100644 --- a/src/afl-showmap.c +++ b/src/afl-showmap.c @@ -647,8 +647,8 @@ static void usage(u8* argv0) { " -c - allow core dumps\n\n" "This tool displays raw tuple data captured by AFL instrumentation.\n" - "For additional help, consult %s/README.md.\n" - , argv0, MEM_LIMIT, doc_path); + "For additional help, consult %s/README.md.\n", + argv0, MEM_LIMIT, doc_path); exit(1); |